Privacy statement for customer and partner register Privacy statement for customer and partner registerLast updated: February 27, 2024 Your privacy is important to us and we work hard to protect your information. This privacy statement which is based on the General Data Protection Regulation (EU) 2016/679 (“GDPR“) describes what personal information is being processed by Enersense, how it is processed and for what purposes. 1. Controller of personal dataEnersense International Plc and/or Enersense Group companies hereinafter “Enersense” 2. Contact information for this RegisterYou may contact us, if you have any concerns related to the processing of personal data or the exercise of your rights under the EU Data Protection Regulation. Please contact us by email at privacy@enersense.com. 3. Name of the RegisterCustomer, Partner and Contact Person Register (“Register“). The register contains personal data of former, existing and potential customers’ and co-operation partners’ contact persons. 4. The nature, purposes and the legal basis for the processingProcessing of personal data is necessary for concluding and managing customer relationships or cooperation with Enersense or its affiliated companies. The purpose of the processing of personal data is to maintain a customer relationship, to cooperate, to support sales, to develop business and services and to maintain customer communication in regards to contract compliance and marketing. Personal data is processed only to the extent necessary. Based on data protection regulations, Enersense processes personal data on the following legal basis for processing: Purpose of processing personal dataLegal basis for processingCustomer Relationship Management and Development Customer service and communication Communication related to a possible or terminated contract Tasks related to customer relationship management, customer events and training Marketing and Customer Acquisition Finding potential customers as well as offering services to prospective customers Target marketing and advertising Sending newsletters Collecting personal data through open providers of digital business and consumer information services Using subcontractors for marketing tools Business and Service Development Monitoring and analysis of the service usage as well as e.g. customer segmentation to enable personalized service Quality assurance Development and planning of construction and other projects (e.g., mapping the ownership of land located in the project area) Risk Management Ensuring the security of services Preventing and investigating irregularities Legitimate interest Enersense considers that the purposes defined in this privacy statement are essential for its business and thus has a legitimate interest for processing personal data. Enersense shall make sure that the processing of personal data is proportionate to the interests of the data subject and corresponds with his or her expectations. The data subject has the right to object the processing of personal data according to the requirements of the EU Data Protection Regulation, insofar as the processing is based on the legitimate interest of Enersense. Enersense has also conducted the balancing test as defined by the Data Protection Authority to ensure that the data subject’s interests are taken into account. Performance of Contracts, Offering and Providing Services Customer or co-operation contract compliance Communication on compliance with contracts and the providing and production of services Agreement Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Processing of personal data is necessary to conclude an agreement and to fulfill the contractual obligations between the customer or partner and Enersense or its affiliated companies Statutory Requirement Fulfilment of requirements and obligationsstated in laws, regulations or decisions from authorities and supervisors (e.g. Accounting Act, Prepayment Act) Legal obligation Enersense is obliged to process personal data to comply with its legal obligations.5. Categories of personal data contained in the RegisterThe Register consists of personal data related to the customers’ and partners’ contact persons in the following categories: first name and surname contact details (e.g. phone number, email address, home address) name of the company represented customer and contract information (e.g. name of the contact person in orders and invoicing) position and profession information related to event participation (e.g. food restrictions and allergies upon the data subject’s consent) information regarding contracts with the data subject, such as information on current and past contracts, payment and invoicing details (in case of land lease contracts, information of the property such as owner of the property and property identifier) 6. Duration of processingPersonal data is processed at least for the duration of the customer and contractual relationship or other meaningful relationship with the data subject. Personal data will also be stored after the termination of the customer and contractual relationship for the period necessary to fulfill the purposes defined in this privacy statement. Personal data is erased after the claim period related to a specific customer relationship or service has elapsed. This period is typically ten (10) years. The information of potential customers is stored as long as the storage is necessary for establishing a customer relationship. Personal data processed for analytical or statistical purposes will be anonymised or erased securely at the end of a customer or contractual relationship unless there is a legal basis for the storage. Anonymization means that any identifying information that a person can or could be identified is erased so that data is no longer considered as personal data. Enersense estimates regularly the need for data storage taking into account the applicable legislation. 7. Sources of personal dataPersonal data is primarily collected directly from the customer or co-operation partner. In addition, personal data may be collected and updated from other Enersense Group’s companies registers. Personal data may also be collected from other sources upon the data subject’s consent. When permitted by law, personal data may be collected from registers of third parties, such as: The Population Register Centre registers of other authorities, e.g. Trafi, Trade Register and Register of Foundations, National Land Survey contact service providers credit information registers 8. Transfer of personal data and the categories of recipients of personal data Personal data can be transferred to third parties only when permitted or required by the law. Such recipients of personal data can be e.g., legal or financial consultants and debt collection companies acting as independent data controllers. Personal data may be transferred to affiliates of the Enersense within the limits of the purposes of processing determined above. In addition, personal data can be disclosed in the event of a company acquisition or in order to obtain financing to parties with whom we have entered into appropriate agreements in order to prepare and implement measures that are required by the situation. In these situations, we ensure that necessary confidentiality obligations are in place. Personal data shall not be transferred outside the European Union (“EU“) or the European Economic Area (“EEA“) unless it is necessary in regards to the purposes of processing determined above. In case personal data is transferred outside the EU or the EEA, Enersense shall implement suitable safeguards in order to comply with the requirements of applicable data protection legislation. Enersense may for instance conclude an agreement with a client operating outside the EU or the EEA in accordance with the standard data protection clauses adopted by the European Commission. 9. Security of processing Enersense has appropriate technical and organisational means of data security in order to safeguard data subjects personal data from loss, misuse or other equivalent illegal access. Secure processing of personal data is ensured by providing instructions as well as implementing access management to provide access to designated employees of the Enersense or its affiliates. Personal data is only processed by employees who have the right to do so within the framework of their work duties. Data security is a central part of the core values of the Controller. Therefore data security is evaluated and developed regularly. 10. Rights as a data subjectThe data subject can exercise their rights by contacting us using the information in section 2. The data subject has the following rights as defined by the GDPR: The right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and where that is the case, access to the personal data. The right to have incorrect or incomplete information corrected or completed. The right to request erasure of personal data concerning him or her. The right to restrict processing of personal data, when applicable according to the GDPR. The right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller. The right to object processing of personal data according to the requirements of the GDPR The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR 11. Updates to this privacy statementEnersense seeks to develop its services continuously and thus reserves the right to modify this privacy statement. This privacy statement may also be updated to reflect any changes in applicable laws. Enersense encourages data subjects to periodically review this privacy statement. Enersense may also notify data subjects directly by sending a notification about updates that have material effects to data subjects.